Your events, normalized. Your integrations, simplified. Real security in real-time.
Stop wrestling with inconsistent log formats. LiteSOC automatically maps 40+ messy log formats into 26 Standard Security Events—giving you a unified view across your entire stack.
{
  "evt": "usr_login",
  "ok": true,
  "u_id": "12345",
  "ts": 1708934400000,
  "ip_addr": "192.168.1.1",
  "browser_info": "Chrome/121"
}

{
  "event_type": "user.login.success",
  "actor_id": "12345",
  "timestamp": "2024-02-26T12:00:00Z",
  "ip": "192.168.1.1",
  "user_agent": "Chrome/121",
  "geo": { "city": "SF", "country": "US" }
}

No heavy agents. No complex deployments. Just a simple REST API call from your existing codebase. Start tracking security events in minutes, not months.
// That's it. You're secure.
await litesoc.track({
  event_type: "user.login.success",
  actor_id: user.id,
  metadata: { method: "oauth" }
});

user.login.success
user.login.failure
user.logout
user.created
user.deleted
user.password.changed
user.mfa.enabled
user.mfa.disabled
user.role.changed
user.session.created
user.session.revoked
api.key.created
api.key.revoked
permission.granted
permission.revoked
data.accessed
data.exported
data.deleted
settings.updated
billing.updated
security.brute_force
security.impossible_travel
security.geo_anomaly
security.suspicious_ip
security.rate_limited
security.unauthorized

Machine learning meets security. Detect threats humans miss, automatically.
If a user logs in from Tokyo and then London 10 minutes later, that's physically impossible. We calculate real-world travel speed using the Haversine formula to detect credential theft instantly.
We build a 30-day baseline of each user's login locations. When someone suddenly appears from a high-risk country, you'll know immediately.
Automated detection of password-guessing attacks with configurable thresholds based on your plan.
Our brute force detection system monitors user.login.failure events in real-time, correlating them by user ID and IP address to identify credential-guessing attacks.
{
  "alert_type": "brute_force_attack",
  "severity": "high",
  "actor_id": "user_12345",
  "metadata": {
    "attempt_count": 12,
    "time_window_minutes": 5,
    "unique_ips": ["203.0.113.1", "203.0.113.2"],
    "first_attempt": "2024-02-26T14:00:00Z",
    "last_attempt": "2024-02-26T14:04:32Z"
  },
  "recommendations": [
    "Force password reset",
    "Enable MFA",
    "Review account activity"
  ]
}

We build a behavioral profile of each user's typical login locations over 30 days. When a login originates from a new country—especially one flagged as high-risk—an anomaly alert is triggered.
Logins from these countries automatically trigger critical-severity alerts:
If two logins from the same user occur from locations that would require traveling faster than commercial aircraft (500+ mph), the account is likely compromised.
a = sin²(Δlat/2) + cos(lat₁) × cos(lat₂) × sin²(Δlon/2)
c = 2 × atan2(√a, √(1−a))
distance = R × c   // R = 6,371 km (Earth radius)
speed_mph = (distance_km / time_hours) × 0.621371
if speed_mph > 500:
    trigger_alert("impossible_travel")
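The check above as a runnable sketch over a constructed event stream. This is an added example, not LiteSOC's code; the lat/lon fields, the 50 km minimum distance and the handling of identical timestamps are assumptions.

```python
from datetime import datetime
from math import atan2, cos, inf, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0   # R from the formula above
KM_TO_MILES = 0.621371
MAX_SPEED_MPH = 500.0      # threshold stated on the page
MIN_DISTANCE_KM = 50.0     # assumption: ignore geo-IP jitter inside one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return EARTH_RADIUS_KM * 2 * atan2(sqrt(a), sqrt(max(0.0, 1 - a)))

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_impossible_travel(events):
    """Compare each successful login with the same actor's previous login."""
    alerts, last_seen = [], {}
    logins = [e for e in events if e["event_type"] == "user.login.success"]
    for ev in sorted(logins, key=lambda e: parse_ts(e["timestamp"])):
        prev = last_seen.get(ev["actor_id"])
        last_seen[ev["actor_id"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (parse_ts(ev["timestamp"]) - parse_ts(prev["timestamp"])).total_seconds() / 3600
        # Distant logins with identical timestamps: treat the speed as infinite.
        mph = inf if hours == 0 else km / hours * KM_TO_MILES
        if km >= MIN_DISTANCE_KM and mph > MAX_SPEED_MPH:
            alerts.append({"alert_type": "impossible_travel", "actor_id": ev["actor_id"],
                           "distance_km": round(km), "speed_mph": mph})
    return alerts

def _login(actor_id, timestamp, lat, lon):
    return {"event_type": "user.login.success", "actor_id": actor_id,
            "timestamp": timestamp, "lat": lat, "lon": lon}

# Constructed sample events; the lat/lon fields are an assumed enrichment output.
SAMPLE_EVENTS = [
    _login("12345", "2024-02-26T12:00:00Z", 35.6762, 139.6503),   # Tokyo
    _login("12345", "2024-02-26T12:10:00Z", 51.5074, -0.1278),    # London, 10 min later
    _login("777", "2024-02-26T09:00:00Z", 37.7749, -122.4194),    # San Francisco
    _login("777", "2024-02-26T17:00:00Z", 40.7128, -74.0060),     # New York, 8 h later
    _login("888", "2024-02-26T15:00:00Z", 48.8566, 2.3522),       # Paris
    _login("888", "2024-02-26T15:00:00Z", -33.8688, 151.2093),    # Sydney, same second
]
```

The San Francisco to New York pair stays under the threshold, so only actors 12345 and 888 are flagged.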
Enterprise customers can define custom detection rules tailored to their specific threat landscape. Create rules based on event patterns, metadata conditions, and time-based triggers.
data.exported events > 5 in 1 hour
user.role.changed to 'admin' outside business hours
api.key.created > 3 in 24 hours for same user
user.session.created from > 5 unique IPs in 1 hour

{
  "name": "Bulk Data Export Alert",
  "enabled": true,
  "conditions": {
    "event_type": "data.exported",
    "count": { "gte": 5 },
    "time_window": "1h",
    "group_by": "actor_id"
  },
  "severity": "high",
  "actions": [
    {
      "type": "alert",
      "channels": ["slack", "email"]
    },
    {
      "type": "webhook",
      "url": "https://api.yourapp.com/security"
    }
  ]
}

Every event tells a story. We help you read it with precision.
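How the conditions of the Bulk Data Export Alert rule above could be evaluated, as an added example that is not LiteSOC's code: a sliding-window count per group_by key, which is also the shape of the brute force correlation over user.login.failure events described earlier. The window suffixes, the alert fields and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Conditions and severity copied from the "Bulk Data Export Alert" rule on this page.
RULE = {
    "name": "Bulk Data Export Alert",
    "conditions": {"event_type": "data.exported", "count": {"gte": 5},
                   "time_window": "1h", "group_by": "actor_id"},
    "severity": "high",
}
UNITS = {"m": "minutes", "h": "hours", "d": "days"}  # assumed window suffixes

def parse_window(spec):
    """'1h' -> timedelta(hours=1); suffixes other than UNITS raise KeyError."""
    return timedelta(**{UNITS[spec[-1]]: int(spec[:-1])})

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def evaluate(rule, events):
    """Sliding-window count per group; alert once each time the threshold is crossed."""
    cond = rule["conditions"]
    window, need = parse_window(cond["time_window"]), cond["count"]["gte"]
    recent, firing, alerts = defaultdict(deque), set(), []
    matching = [e for e in events if e["event_type"] == cond["event_type"]]
    for ev in sorted(matching, key=lambda e: parse_ts(e["timestamp"])):
        key, ts = ev[cond["group_by"]], parse_ts(ev["timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) < need:
            firing.discard(key)        # re-arm once the burst has aged out
        elif key not in firing:
            firing.add(key)            # suppress repeats while still over threshold
            alerts.append({"rule": rule["name"], "severity": rule["severity"],
                           cond["group_by"]: key, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

def sample_events():
    """Constructed: user_1 exports 5 times in 40 min, user_2 5 times over 4 h."""
    burst = [{"event_type": "data.exported", "actor_id": "user_1",
              "timestamp": f"2024-02-26T14:{m:02d}:00Z"} for m in (0, 10, 20, 30, 40)]
    slow = [{"event_type": "data.exported", "actor_id": "user_2",
             "timestamp": f"2024-02-26T{h:02d}:00:00Z"} for h in (9, 10, 11, 12, 13)]
    return burst + slow
```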
Click any event to open a detailed side-drawer with everything you need to investigate:
Every IP is enriched with network intelligence to flag suspicious sources.
Pass audits with confidence. Built for SOC 2, GDPR, and enterprise requirements.
Every action in LiteSOC is logged with immutable audit trails. Export-ready for SOC 2 Type II, GDPR Article 30, and ISO 27001 audits.
{
  "action": "settings.api_key.regenerated",
  "actor_id": "user_123",
  "timestamp": "2024-02-26T14:32:00Z",
  "ip": "203.0.113.50",
  "changes": { "api_key": "[REDACTED]" }
}

Fine-grained permissions with 4 distinct roles. Control who sees what across your organization.
Control exactly which domains can send events to your LiteSOC instance. Supports wildcard subdomains for dynamic environments.
*.example.com
Silence noise from trusted sources. Whitelist your office IPs, CI/CD servers, or internal infrastructure using CIDR notation.
192.168.1.0/24
10.0.0.0/8
203.0.113.50/32
Built by developers, for developers. Integrate in minutes with your favorite tools.
Official SDKs for the most popular backend languages. Type-safe, well-documented, and actively maintained.
npm i litesoc
pip install litesoc
composer require litesoc/litesoc
Get alerted where your team already works. Native integrations with secure webhook signing.